FHA eases cyber reporting requirements for lenders

The Federal Housing Administration is walking back the tight deadlines it set for mortgage lenders reporting cyber breaches.

According to a draft mortgagee letter, the FHA wants to implement a 36 hour window of time for companies to report a cyber incident to the agency.

This is a notable departure from the 12 hours allotted previously, and more in line with timelines set by the government-sponsored enterprises. (Fannie Mae requires lenders to report within 72 hours if a potential hack has taken place, while Freddie Mac requires lenders to report within 48 hours of detection.)

The administration further wants to update its definition of a cyber incident, dubbing it an "occurrence that results in actual harm to the confidentiality, integrity or availability of an information system."

It also wants to outline what a reportable incident actually is, noting it is one that has materially disrupted or degraded a lender's ability to meet its operation obligations for originating or servicing FHA-insured loans.

These revisions will supersede previous guidance once they are finalized and published, the FHA wrote Sept. 30 in its communication to lenders.

In a statement Friday, the administration said its revisions are a response to stakeholder feedback "to provide clarity and better align its reporting requirements with computer-security incident notification standards established by the Federal banking regulators."

The agency's first iteration of data breach reporting requirements went into effect in May and cast a wide net on cyber-related incidents that should be reported.At the time, the FHA said cybersecurity incidents include those that actually or potentially jeopardize "the confidentiality, integrity, or availability of information," making all events – big or small – fall into that purview.

"HUD issued this mortgagee letter to reinforce with program participants the importance of quickly reporting to HUD, addressing, and tracking cyber-security incidents in light of the nationwide increase in incidents in recent years," a HUD spokesperson wrote in May.

The administration's move to implement data breach timelines for lenders comes during a time of increased data breach activity.In the past year, numerous megalenders have had their systems hit. In some cases, the attacks have been carried out at third-party vendors.

Loandepot, Mr. Cooper, Academy Mortgage and Planet Home Lending are among mortgage shops impacted by such incidents. Title companies have also been hit, including First American and Fidelity National Financial

All in all, millions of customers have had their personal identifiable information stolen and some litigation has sprouted because of it.

For reprint and licensing requests for this article, click here.
Cyber security FHA Data breaches Regulation and compliance
MORE FROM NATIONAL MORTGAGE NEWS